Only 10% of Web Applications Are Secured Against Common Hacking Techniques

So you’ve battened down the hatches on your firewall, routers, and everything else. But there’s one gaping hole – your new-fangled web application. A hacker can type some code into one of the form fields that feeds your database and open up a back door! Yikes.
WebCohort, Inc., the leader in web application security, today announced the results of four years of penetration testing on more than 250 web applications including e-commerce, online banking, enterprise collaboration, and supply chain management sites.
The vulnerability assessments conducted by WebCohort’s Application Defense Center (ADC) concluded that at least 92% of web applications are vulnerable to some form of hacker attack. The most common vulnerabilities were cross-site scripting (80%), SQL injection (62%) and parameter tampering (60%). While these types of hacking attacks are common, most enterprises have not adequately secured their web sites, applications and servers against them. Despite common use of defenses such as firewalls and intrusion detection or prevention systems, hackers can access valuable proprietary and customer data, shut down websites and servers, defraud businesses, and introduce serious legal liability without being stopped or, in many cases, even detected.
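The "code in a database field" attack the article opens with is SQL injection, the second most common finding above. The following is an added example, not code from WebCohort or the article, using a constructed in-memory SQLite table to show the weak query (user input pasted into SQL text) beside the hardened one (input bound as a parameter), and why a firewall alone never stops it:

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration; not from the article.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_concat(conn, username):
    # Weak form: the field value becomes part of the SQL statement itself,
    # so a quote character in the input changes the query's logic.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def lookup_param(conn, username):
    # Hardened form: the value is bound as a parameter and can only ever be
    # compared as data, never interpreted as SQL syntax.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,)).fetchall()]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # the classic textbook tautology input
    print("concat:", lookup_concat(db, probe))  # every row leaks
    print("param: ", lookup_param(db, probe))   # no such user, nothing leaks
```

The probe string is an ordinary HTTP form value, which is why perimeter devices that inspect only ports and protocols pass it straight through; the fix lives in the application code.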
“More robust network security has driven hackers to view web applications as easier targets. Four years of our Application Defense Center’s experience have proven this is an accurate assessment,” said Shlomo Kramer, CEO of WebCohort. “We are only beginning to see the risks to businesses and consumers these vulnerabilities introduce.”
In 2001, Gartner Group reported that 75% of cyber attacks and Internet security violations are generated through Internet Applications. Years later, web applications have yet to be secured.
The Federal Trade Commission announced in January that Internet-related fraud was the reason for more than 500,000 consumer complaints filed in 2003, with estimated consumer losses of $200 million in the U.S. alone. The total cost of Internet fraud is compounded by business losses, legislative, regulatory and law enforcement costs, and diminished consumer trust in the Internet throughout the world. Unsecured web applications leave the back door wide open to Internet fraud and other forms of hacking attacks.
The results of the WebCohort Application Defense Center’s penetration testing from January 2000 to January 2004 are:

Most Common Application Layer Vulnerabilities

Attack                  Percent vulnerable
Cross-site scripting    80%
SQL injection           62%
Parameter tampering     60%
Cookie poisoning        37%
Database server         33%
Web server              23%
Buffer overflow         19%